CVE-2018-14990 : What You Need to Know

A vulnerability affecting the Coolpad Defiant, ZTE ZMAX Pro, and T-Mobile Revvl Plus devices due to a pre-installed Rich Communication Services (RCS) app.

Understanding CVE-2018-14990

What is CVE-2018-14990?

The vulnerability involves a vulnerable RCS app that allows any app on the device to send and delete text messages programmatically, controlled by an attacker.

The Impact of CVE-2018-14990

The vulnerability enables unauthorized apps to manipulate text messages without user consent, posing a risk of privacy invasion and potential abuse.

Technical Details of CVE-2018-14990

Vulnerability Description

The RCS app on the mentioned devices allows unauthorized apps to send and delete text messages without user intervention.

Affected Systems and Versions

Coolpad Defiant with build fingerprint Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys
ZTE ZMAX Pro with build fingerprint ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys
T-Mobile Revvl Plus with build fingerprint Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys

Exploitation Mechanism

Vulnerable RCS app with package names com.suntek.mway.rcs.app.service and com.rcs.gsma.na.sdk
Allows any app to send text messages programmatically
Attacker controls message content and number
Zero-permission apps can execute the attack

Mitigation and Prevention

Immediate Steps to Take

Regularly monitor for unusual text message activities
Avoid downloading apps from untrusted sources
Keep devices updated with the latest security patches

Long-Term Security Practices

Use reputable security apps to scan for vulnerabilities
Implement app permission restrictions
Educate users on safe app usage practices

Patching and Updates

Apply security updates provided by device manufacturers promptly